Dumb information security common in tech industry #venmo #facebook


I have an email address at a popular “free” email service. For unclear reasons, I receive a LOT of email intended for other people with similar names. Last week I received someone’s divorce court order and also a police report. I have also received a draft copy of an exposé investigative report prior to publication – for review! I received the comprehensive final exam for a major course at a major university – for review – seeking comment and noting how important it was to keep this exam confidential. I replied that sending it to the wrong people was not a good way to ensure security.
This kind of stuff is received – misdirected to me – every week.
Today I received first this email:

Obviously, this is not me. I did not verify this email. Yet before this address has even been verified, I received this second email from venmo showing that a debit card has been added to the account:

At this point the account is unverified. I could, if I wanted to, click on the verify link, then say I forgot my password at the login screen and undoubtedly have them send me a link to reset the password – after which I would be in the account.
And since venmo is an online service for sending payments to people or making purchases, I could then use the account – which is now linked to a debit card apparently – to spend someone else’s money.
Incredibly, this sort of gaffe happens every week. I frequently receive misdirected email from places such as health care providers and health insurers where they have the wrong email address. Again, since they have the wrong email address – they have not verified it – I can easily get into the accounts by saying I lost the password. This boggles my mind.
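To make the design flaw concrete, here is an added example (not venmo’s code, nor any health insurer’s; every class, method and address in it is hypothetical). It models a tiny account service two ways: one that, like the flow described above, lets a debit card be linked and a password-reset token be mailed to an address nobody has ever verified, and a hardened variant that treats an unverified address exactly like an unknown one for both operations.

```python
# Added example: a minimal account service contrasting the reset flow the post
# describes (trusting an unverified email address) with a hardened variant.
# Not venmo's code; the class and method names are hypothetical.
import hashlib
import secrets
from dataclasses import dataclass, field
from typing import Optional


@dataclass
class Account:
    email: str
    password_hash: bytes
    email_verified: bool = False
    verify_token: Optional[str] = None
    cards: list = field(default_factory=list)


def _hash(password: str) -> bytes:
    # Toy fixed-salt KDF for the example; a real service salts per account.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), b"example-salt", 50_000)


class VulnerableService:
    """Reproduces the flaw in the post: an address that has never been verified
    can link a debit card and can receive a password-reset token."""

    def __init__(self):
        self.accounts: dict = {}
        self.reset_tokens: dict = {}  # reset token -> email

    def signup(self, email: str, password: str) -> str:
        acct = Account(email, _hash(password), verify_token=secrets.token_urlsafe(16))
        self.accounts[email] = acct
        return acct.verify_token  # would be emailed to `email`

    def verify_email(self, email: str, token: str) -> bool:
        acct = self.accounts.get(email)
        if acct and acct.verify_token and secrets.compare_digest(acct.verify_token, token):
            acct.email_verified, acct.verify_token = True, None
            return True
        return False

    def add_debit_card(self, email: str, last4: str) -> bool:
        self.accounts[email].cards.append(last4)  # no verification check at all
        return True

    def request_password_reset(self, email: str) -> Optional[str]:
        if email not in self.accounts:
            return None
        token = secrets.token_urlsafe(32)
        self.reset_tokens[token] = email  # goes to whoever reads that inbox
        return token

    def reset_password(self, token: str, new_password: str) -> bool:
        email = self.reset_tokens.pop(token, None)
        if email is None:
            return False
        self.accounts[email].password_hash = _hash(new_password)
        return True


class HardenedService(VulnerableService):
    """Same API, but nothing sensitive happens until the address is verified."""

    def add_debit_card(self, email: str, last4: str) -> bool:
        if not self.accounts[email].email_verified:
            return False  # payment instruments wait for a verified address
        return super().add_debit_card(email, last4)

    def request_password_reset(self, email: str) -> Optional[str]:
        acct = self.accounts.get(email)
        if acct is None or not acct.email_verified:
            return None  # same answer as for an unknown address: nothing to enumerate
        return super().request_password_reset(email)


def walk_through(service_cls) -> dict:
    """Replay the post's sequence with constructed input: sign up using a
    stranger's address, link a card, then have the address holder ask for a
    reset without ever clicking the verification link."""
    svc = service_cls()
    svc.signup("someone.else@example.com", "owner-password")
    card_ok = svc.add_debit_card("someone.else@example.com", "4242")
    token = svc.request_password_reset("someone.else@example.com")
    took_over = token is not None and svc.reset_password(token, "attacker-password")
    return {"card_linked_unverified": card_ok, "account_taken_over": took_over}


if __name__ == "__main__":
    print("vulnerable:", walk_through(VulnerableService))
    print("hardened:  ", walk_through(HardenedService))
```

The hardened variant deliberately returns the same "nothing" for an unverified address as for an unknown one, so the reset endpoint cannot be used to confirm which addresses are on file; once the address holder actually verifies it, both the card link and the reset work normally.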
And yes, I’ve done this twice when I received emails for something that seemed important. I logged in to their account, just as I described, got their phone number from their customer info on file and called them to explain what had just happened. I don’t do that anymore – sorry Dish Customer with a similar name who sent your bills to me until your service got cut off…
I tried to contact venmo to ask them about this but their online Contact Us feature requires that my name *and* phone number be registered to report their security hole to them. Since I do not know the phone number, I’ll just publish this here and see if they catch on.
Update: I’ve messaged them on Twitter.
